USR Firewall won't let me play?

Posted: Wed Nov 03, 2004 11:49 pm

Is your network reachable? Yes
Are you using a port-forward? Yes
Is your console being detected? Yes
Brief description of your network setup: Xbox and PC both connected via cable to USR9106 router
Do you use a software firewall? What brand? Have you made any changes to it? Router comes with firewall - can't disable it!
Operating System? XP Pro
Problem description? Despite simplifying the network (removing wireless entirely) I *still* can't get into any games. Everything seems to report that it's working OK.

[KaiUserConfig]
kaiUsername=sabre2
kaiPassword=
kaiPort=30000
kaiDeepPort=0
kaiAccept=LOCAL
kaiTimeout=NOUI
kaiNIC=2
kaiLaunch=BOTH
kaiHomebrew=OFF
kaiPAT=OFF
kaiAutoLogin=ON
kaiAllowBadNICS=ON
kaiWireless=
kaiUI=Default

From what I can gather, my problem is the firewall built into this router. It can't be disabled. I've allowed these IP addresses/ports inbound[1]:

Kai ALL TCP/UDP 0.0.0.1
Kai2 ALL TCP/UDP 3074
kai3 ALL TCP/UDP 30000

and added this port forward[1]:

kai 30000 30000 TCP 30000 30000 192.168.1.2
kai 30000 30000 UDP 30000 30000 192.168.1.2

but according to https://grc.com/x/ne.dll?bh0bkyd2 I'm still super-stealthy! What have I done wrong/what else do I need to do to get this working?

Many thanks
John
[1] Copied from the web interface

Team XLink Moderator Joined: 21 May 2004 Posts: 1215

Is 192.168.2.1 the IP you forwarded the ports to? Because that looks like the router's ip / gateway. If that's the case, enter the IP of the PC running Kai here. If I misread it you can neglect it Smile

.
And, although not helping here, you don't need to forward the port TCP, UDP is all it needs.

Can't help you any further I'm afraid. Just hang in and wait for the experts Wink

-tizzo

Posted: Thu Nov 04, 2004 9:07 am

[SaD]TizzO wrote:

Is 192.168.2.1 the IP you forwarded the ports to? Because that looks like the router's ip / gateway. If that's the case, enter the IP of the PC running Kai here. If I misread it you can neglect it Smile

.
And, although not helping here, you don't need to forward the port TCP, UDP is all it needs.

Can't help you any further I'm afraid. Just hang in and wait for the experts Wink

-tizzo

192.168.1.1 is the router, 192.168.1.2 is the PC running Kai.

Thanks for looking!

John

Posted: Thu Nov 04, 2004 1:07 pm

A router's firewall shouldn't stop internal traffic at all, btu this sounds like a secure firewall.

Technically, a port-forward should open a hole in your router on the specific port. Firewalling is thus ignored for that port-forward (or so it should be). Did you try removing all those inbound firewall rules? The way you've set it up, leaves me to believe there's both a firewall section and a port-forwarding section on your USR's router web control panel.

Either way, you shouldn't have to touch firewall settings on the router, just port-forwarding.

Posted: Thu Nov 04, 2004 1:24 pm

dfunked wrote:

A router's firewall shouldn't stop internal traffic at all, btu this sounds like a secure firewall.

The default rules are to allow anything outbound (unless specifically blocked, which I'm not doing) and nothing inbound except where rules permit, which is where my rules come in.

dfunked wrote:

Technically, a port-forward should open a hole in your router on the specific port. Firewalling is thus ignored for that port-forward (or so it should be). Did you try removing all those inbound firewall rules? The way you've set it up, leaves me to believe there's both a firewall section and a port-forwarding section on your USR's router web control panel.

Either way, you shouldn't have to touch firewall settings on the router, just port-forwarding.

There are indeed two different areas for IP filtering and port forwarding, and like you I did wonder about the apparent redundancy, but I figured that the more permissive rules would apply. What IP address am I expecting port 30000 to show up on?

I've asked a more general question about the exact purpose of these rules in a more general forum, hoping to get a better understanding of what the application is doing.

Thanks for your comments
John

Posted: Thu Nov 04, 2004 1:33 pm

PASTING FROM THAT OTHER THREAD

OK, here's how it goes.

If you port-forward, you need to put a portforward (we suggest 30000 UDP) and point it to the PC that runs Kai. That's all well and good, but if you're running a software firewall, it has no idea what port 30000 traffic is for, thus it blocks it. So, *ONLY* if you port-forward, you need to also set a firewall rule to let that accept traffic on that port (most cases 30000). Now, if you ask me, that's silly, because you're just doubling up firewall layers (all routers have them), and you're just some really paranoid dude Very Happy

Second, 0.0.0.1 is the XBox IP address of the XBox, while it performs system link. The port it works with, is 3074 UDP. Both 0.0.0.1 and 3074 UDP are *inbound* to the PC, but they're also *internal*. They're only requests coming from YOUR XBox, not the others you are connected to.

Please note, that software firewall settings are COMPLETELY different to hardware firewalls (that are built into routers). Port-forwarding does 2 things. It opens up a hole on your router, and lets any traffic on a certain port get pushed through to the internal IP you specify. It also means that it sets an exclusion automatically in the router's firewall functions (you probably won't even see it show up as a rule, but some DLink routers actually show all enabled port-forwards also as exclusions in the firewall section).

So, if you're router's new, it's got a firewall, and I say uninstall the firewall on the PC, there's really no point (unless you invite hackers and crackers over for tea and let them hook up to your internal network Very Happy

)

Quote:

Is traffic using this port coming from an IP address other than 0.0.0.1? Presumably so, or it would be redundant.

Yes, it is. 0.0.0.1 works with port 3074 UDP. NOTHING ELSE. This is the XBox's design.

Quote:

Finally, in both cases, can I make the destination IP address the PC running the KAI engine?

If you're talking about port-forwarding on the router, that is exactly what you're supposed to do. Point it to wherever the kaiEngine is running. If you read above and took on board the suggestion of trashing this software firewall, you'll make life easier for yourself.

You make no mention here if you actually do run a software firewall, just a hardware firewall built into the router. In that case, remove all 'rules', except the port forward. Make sure that this number is also set into the Kai Configuration Tool under 'Kai Port'.

Team XLink Administrator Joined: 21 May 2004 Posts: 3354

Whats the status Sabre2?

Posted: Mon Nov 08, 2004 11:45 am

Status is, it works!

I removed all the (useless) rules from the hardware firewall(/router) on my ADSL connection, leaving only a port forward on 30000. I rebooted the router - not sure if this step is necessary to get it to apply the port forward but figured it couldn't do any harm. I'd already reduced the network to the simplest possible, hardwired configuration. Finally got to connect to a game or to, getting my ass comprehensively kicked for my troubles.

I've since reintroduced wireless for the Xbox to router connection, still works OK. I've also got hold of XBMC, but although it all *seems* to work I've realised that troubleshooting requires a game to be present, at the time you need it.

Lessons, for those who might pass this way -

* Don't be lulled by the fact that configuration says the network is reachable and the console is configured. The mystical port forward may very well still be needed. It says so in the documentation and it's not kidding.

* Halo is an inconvenient game to use for troubleshooting. I suppose every game treats system link differently, but it would be great if there could be a 'spoof' game that could be connected to for troubleshooting purposes, that would give enough of a response to any game to let you see that *something* was happening.

* It's hard to find anyone at midnight.

Cheers to the XLink crew.

John

Posted: Mon Nov 08, 2004 12:02 pm

YAY